Those who work in electronic payments know the risks from criminals constantly trying to steal sensitive payment data. Small-business owners, however, may not. Eighty-nine percent of them say there is low to no risk of their businesses facing a data compromise.

That startling stat comes from the recently released 2019 ControlScan/MAC SMB Payment Security Survey. Only 10% of the more than 6,500 small-business operators surveyed thought there was a medium risk and 1% said they were at high risk.

That perception changes, however, if a merchant has experienced a data breach. Of those who were previously breached, 20% said their company faced a high risk if they had another data compromise. Thirty-six percent said medium risk. The largest group, 41%, said low risk, compared with 69% of those never breached. Only 3% of those that had been breached thought the risk of another one was none. That compares with 21% of those with no breach experience.

Bucolo: “Third-party dependencies are still the biggest areas of data security risk for U.S. businesses.”

“While the group of previously-breached respondents is (as a whole) more concerned than their counterparts about future risk, 44% still view their risk as low-to-none,” Chris Bucolo, vice president of market strategy at Atlanta-based ControlScan, tells Digital Transactions News in an email.

“The reason for this could be because compromised businesses often go through a formal forensics and remediation process that results in a higher level of confidence,” he says. “In addition, these businesses are usually adding these security layers quickly and at their own expense. When we pay for things, we see them as valuable and believe them to be effective. As long as they do not get complacent once they implement the changes, it is a good thing. In other words, security and compliance are ongoing processes and not something you simply establish and forget about.”

Who is responsible for data security at a small or mid-sized business often differs based on the size of the company, too. Of those with 10 or fewer employees, the chief executive or owner handled data security for 74%. Only 14% assigned the responsibility to a manager; 1% to operations or information-technology personnel; 5% to finance personnel; 3% to administrative personnel; and 2% to employees in other roles.

In contrast, of businesses with more than 100 employees, 60% assigned the duty to operations or IT staff; followed by a manager, 19%; chief executive or owner, 15%; and finance personnel, 6%.

In many instances, small businesses hire a third-party for risk mitigation and to help with PCI Security Standards Council compliance requirements. Doing so, however, does not relinquish the business’s obligation to monitor risk, Bucolo says.

“On the one hand, if you rely more on trusted parties it should lessen your risk in some ways,” he says. “But if you outsource and forget it you are still rolling the dice: A) It does not absolve you of needing to manage your own areas of risk—i.e., areas of your business that are under your direct control, and B) You cannot just assume all is well when it comes to third parties.”

Indeed, only 38% of merchants place high importance on the PCI compliance of their service providers.

“Third-party dependencies are still the biggest areas of data security risk for U.S. businesses,” Bucolo says. “It is critical that SMBs understand exactly what security requirements each of their third-party service providers covers and what they themselves are responsible for.”

ControlScan conducted the survey in January for the Merchant Acquirers’ Committee, a trade group of merchant-acquiring banks, independent sales organizations, and other payments firms as well as law-enforcement organizations.